/*
 * Copyright (c) 2000-2004,2011,2014 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_LICENSE_HEADER_END@
 *
 * CertExtensions.h -- X.509 Cert Extensions as C structs
 */

#ifndef _CERT_EXTENSIONS_H_
#define _CERT_EXTENSIONS_H_

#include <Security/cssmtype.h>

/***
 *** Structs for declaring extension-specific data.
 ***
 *** Conventions used throughout this header:
 ***
 ***  - A SEQUENCE OF in the ASN.1 is represented as a pair of fields,
 ***    an element count (uint32 numXxx) followed by a pointer to an array
 ***    of that many elements. The count is the only bound on the array;
 ***    code walking these structures must never index past it.
 ***
 ***  - An OPTIONAL scalar in the ASN.1 is represented as a CSSM_BOOL
 ***    xxxPresent flag followed by the value. The value field is only
 ***    meaningful when its Present flag is true. An OPTIONAL pointer is
 ***    represented as a plain pointer; NULL means absent.
 ***
 ***  - The struct tags (__CE_*) use a name form that the C standard
 ***    reserves for the implementation. They are part of the published
 ***    API/ABI of this header, so they are left as-is.
 ***
 ***  - DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER is not defined here;
 ***    presumably it reaches this file via <Security/cssmtype.h> -- verify
 ***    against that header chain.
 ***
 ***  - NOTE(review): CE_GeneralNameType, CE_ExtendedKeyUsage, CE_CrlNumber,
 ***    CE_DeltaCrl and CE_DataType carry no deprecation attribute while
 ***    every other typedef in this file does. Whether that is intentional
 ***    cannot be determined from this header alone.
 ***/

/*
 * GeneralName, used in AuthorityKeyID, SubjectAltName, and
 * IssuerAltName.
 *
 * For now, we just provide explicit support for the types which are
 * represented as IA5Strings, OIDs, and octet strings. Constructed types
 * such as EDIPartyName and x400Address are not explicitly handled
 * right now and must be encoded and decoded by the caller. (See exception
 * for Name and OtherName, below). In those cases the CE_GeneralName.name.Data field
 * represents the BER contents octets; CE_GeneralName.name.Length is the
 * length of the contents; the tag of the field is not needed - the BER
 * encoding uses context-specific implicit tagging. The berEncoded field
 * is set to CSSM_TRUE in these cases.
 * Simple types have berEncoded = CSSM_FALSE.
 *
 * In the case of a GeneralName in the form of a Name, we parse the Name
 * into a CSSM_X509_NAME and place a pointer to the CSSM_X509_NAME in the
 * CE_GeneralName.name.Data field. CE_GeneralName.name.Length is set to
 * sizeof(CSSM_X509_NAME). In this case berEncoded is false.
 *
 * In the case of a GeneralName in the form of an OtherName, we parse the fields
 * into a CE_OtherName and place a pointer to the CE_OtherName in the
 * CE_GeneralName.name.Data field. CE_GeneralName.name.Length is set to
 * sizeof(CE_OtherName). In this case berEncoded is false.
 *
 * Consequence for consumers: name.Data is NOT always a byte string. For
 * GNT_DirectoryName and GNT_OtherName it is a pointer to a struct, and
 * name.Length is the struct size, not an encoded length. Always dispatch
 * on nameType (and berEncoded) before interpreting name.
 *
 * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
 *
 * GeneralName ::= CHOICE {
 *      otherName                       [0]     OtherName
 *      rfc822Name                      [1]     IA5String,
 *      dNSName                         [2]     IA5String,
 *      x400Address                     [3]     ORAddress,
 *      directoryName                   [4]     Name,
 *      ediPartyName                    [5]     EDIPartyName,
 *      uniformResourceIdentifier       [6]     IA5String,
 *      iPAddress                       [7]     OCTET STRING,
 *      registeredID                    [8]     OBJECT IDENTIFIER}
 *
 * OtherName ::= SEQUENCE {
 *      type-id    OBJECT IDENTIFIER,
 *      value      [0] EXPLICIT ANY DEFINED BY type-id }
 *
 * EDIPartyName ::= SEQUENCE {
 *      nameAssigner            [0]     DirectoryString OPTIONAL,
 *      partyName               [1]     DirectoryString }
 */

/*
 * Discriminator for CE_GeneralName.name. The enumerator order matches the
 * context-specific tag numbers [0]..[8] of the GeneralName CHOICE above
 * (GNT_OtherName is explicitly 0, the rest follow in tag order).
 */
typedef enum __CE_GeneralNameType {
    GNT_OtherName = 0,
    GNT_RFC822Name,
    GNT_DNSName,
    GNT_X400Address,
    GNT_DirectoryName,
    GNT_EdiPartyName,
    GNT_URI,
    GNT_IPAddress,
    GNT_RegisteredID
} CE_GeneralNameType;

/*
 * OtherName. Only the type-id is decoded; the value is handed over
 * undecoded and its interpretation is entirely the caller's job.
 */
typedef struct __CE_OtherName {
    CSSM_OID     typeId;
    CSSM_DATA    value;     // unparsed, BER-encoded
} CE_OtherName DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/*
 * One GeneralName. See the block comment above for how nameType and
 * berEncoded govern the meaning of name.
 */
typedef struct __CE_GeneralName {
    CE_GeneralNameType    nameType;   // GNT_RFC822Name, etc.
    CSSM_BOOL             berEncoded; // CSSM_TRUE: name holds raw BER contents octets
    CSSM_DATA             name;       // bytes, or a struct pointer for Name/OtherName
} CE_GeneralName DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/*
 * GeneralNames: numNames elements at generalName.
 */
typedef struct __CE_GeneralNames {
    uint32             numNames;
    CE_GeneralName     *generalName;
} CE_GeneralNames DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/*
 * id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::=  { id-ce 35 }
 *
 * AuthorityKeyIdentifier ::= SEQUENCE {
 *    keyIdentifier             [0] KeyIdentifier           OPTIONAL,
 *    authorityCertIssuer       [1] GeneralNames            OPTIONAL,
 *    authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL  }
 *
 * KeyIdentifier ::= OCTET STRING
 *
 * CSSM OID = CSSMOID_AuthorityKeyIdentifier
 */
typedef struct __CE_AuthorityKeyID {
    CSSM_BOOL           keyIdentifierPresent;
    CSSM_DATA           keyIdentifier;        // valid only if keyIdentifierPresent
    CSSM_BOOL           generalNamesPresent;
    CE_GeneralNames     *generalNames;        // valid only if generalNamesPresent
    CSSM_BOOL           serialNumberPresent;
    CSSM_DATA           serialNumber;         // valid only if serialNumberPresent
} CE_AuthorityKeyID DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/*
 * id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::=  { id-ce 14 }
 *   SubjectKeyIdentifier ::= KeyIdentifier
 *
 * CSSM OID = CSSMOID_SubjectKeyIdentifier
 */
typedef CSSM_DATA CE_SubjectKeyID DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/*
 * id-ce-keyUsage OBJECT IDENTIFIER ::=  { id-ce 15 }
 *
 * KeyUsage ::= BIT STRING {
 *      digitalSignature        (0),
 *      nonRepudiation          (1),
 *      keyEncipherment         (2),
 *      dataEncipherment        (3),
 *      keyAgreement            (4),
 *      keyCertSign             (5),
 *      cRLSign                 (6),
 *      encipherOnly            (7),
 *      decipherOnly            (8) }
 *
 * CSSM OID = CSSMOID_KeyUsage
 *
 * Bit layout of CE_KeyUsage: ASN.1 BIT STRING bit 0 (digitalSignature) is
 * the most-significant bit (0x8000) of the 16-bit value, and each
 * subsequent ASN.1 bit is the next lower bit. Test with a bitwise AND
 * against the CE_KU_* masks; do not compare for equality, several bits
 * are normally set at once.
 */
typedef uint16 CE_KeyUsage DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

#define CE_KU_DigitalSignature    0x8000
#define CE_KU_NonRepudiation      0x4000
#define CE_KU_KeyEncipherment     0x2000
#define CE_KU_DataEncipherment    0x1000
#define CE_KU_KeyAgreement        0x0800
#define CE_KU_KeyCertSign         0x0400
#define CE_KU_CRLSign             0x0200
#define CE_KU_EncipherOnly        0x0100
#define CE_KU_DecipherOnly        0x0080

/*
 *  id-ce-cRLReason OBJECT IDENTIFIER ::= { id-ce 21 }
 *
 *   -- reasonCode ::= { CRLReason }
 *
 *   CRLReason ::= ENUMERATED {
 *      unspecified             (0),
 *      keyCompromise           (1),
 *      cACompromise            (2),
 *      affiliationChanged      (3),
 *      superseded              (4),
 *      cessationOfOperation    (5),
 *      certificateHold         (6),
 *      removeFromCRL           (8) }
 *
 * CSSM OID = CSSMOID_CrlReason
 *
 * CE_CrlReason holds the ENUMERATED value itself (not a bit mask).
 * Value 7 is deliberately absent from the ASN.1 and from the CE_CR_*
 * list below; treat it, and anything above 8, as an unknown reason.
 */
typedef uint32 CE_CrlReason DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

#define CE_CR_Unspecified           0
#define CE_CR_KeyCompromise         1
#define CE_CR_CACompromise          2
#define CE_CR_AffiliationChanged    3
#define CE_CR_Superseded            4
#define CE_CR_CessationOfOperation  5
#define CE_CR_CertificateHold       6
#define CE_CR_RemoveFromCRL         8

/*
 * id-ce-subjectAltName OBJECT IDENTIFIER ::=  { id-ce 17 }
 *
 * SubjectAltName ::= GeneralNames
 *
 * CSSM OID = CSSMOID_SubjectAltName
 *
 * GeneralNames defined above; there is no separate struct for this
 * extension, CE_GeneralNames is used directly (see CE_Data below).
 */

/*
 * id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37}
 *
 * ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
 *
 * KeyPurposeId ::= OBJECT IDENTIFIER
 *
 * CSSM OID = CSSMOID_ExtendedKeyUsage
 *
 * numPurposes OIDs at purposes.
 */
typedef struct __CE_ExtendedKeyUsage {
    uint32            numPurposes;
    CSSM_OID_PTR      purposes;      // in Intel pre-encoded format
} CE_ExtendedKeyUsage;

/*
 * id-ce-basicConstraints OBJECT IDENTIFIER ::=  { id-ce 19 }
 *
 * BasicConstraints ::= SEQUENCE {
 *       cA                      BOOLEAN DEFAULT FALSE,
 *       pathLenConstraint       INTEGER (0..MAX) OPTIONAL }
 *
 * CSSM OID = CSSMOID_BasicConstraints
 *
 * pathLenConstraint is valid only when pathLenConstraintPresent is true.
 * NOTE(review): RFC 5280 additionally gives pathLenConstraint meaning only
 * for cA == TRUE certificates; this struct does not enforce that, so
 * path-building code must check cA first.
 */
typedef struct __CE_BasicConstraints {
    CSSM_BOOL           cA;
    CSSM_BOOL           pathLenConstraintPresent;
    uint32              pathLenConstraint;
} CE_BasicConstraints DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/*
 * id-ce-certificatePolicies OBJECT IDENTIFIER ::=  { id-ce 32 }
 *
 *   certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
 *
 *   PolicyInformation ::= SEQUENCE {
 *        policyIdentifier   CertPolicyId,
 *        policyQualifiers   SEQUENCE SIZE (1..MAX) OF
 *                                PolicyQualifierInfo OPTIONAL }
 *
 *   CertPolicyId ::= OBJECT IDENTIFIER
 *
 *   PolicyQualifierInfo ::= SEQUENCE {
 *        policyQualifierId  PolicyQualifierId,
 *        qualifier          ANY DEFINED BY policyQualifierId }
 *
 *   -- policyQualifierIds for Internet policy qualifiers
 *
 *   id-qt          OBJECT IDENTIFIER ::=  { id-pkix 2 }
 *   id-qt-cps      OBJECT IDENTIFIER ::=  { id-qt 1 }
 *   id-qt-unotice  OBJECT IDENTIFIER ::=  { id-qt 2 }
 *
 *   PolicyQualifierId ::=
 *        OBJECT IDENTIFIER ( id-qt-cps | id-qt-unotice )
 *
 *   Qualifier ::= CHOICE {
 *        cPSuri           CPSuri,
 *        userNotice       UserNotice }
 *
 *   CPSuri ::= IA5String
 *
 *   UserNotice ::= SEQUENCE {
 *        noticeRef        NoticeReference OPTIONAL,
 *        explicitText     DisplayText OPTIONAL}
 *
 *   NoticeReference ::= SEQUENCE {
 *        organization     DisplayText,
 *        noticeNumbers    SEQUENCE OF INTEGER }
 *
 *   DisplayText ::= CHOICE {
 *        visibleString    VisibleString  (SIZE (1..200)),
 *        bmpString        BMPString      (SIZE (1..200)),
 *        utf8String       UTF8String     (SIZE (1..200)) }
 *
 * CSSM OID = CSSMOID_CertificatePolicies
 *
 * We only support down to the level of Qualifier, and then only the CPSuri
 * choice. UserNotice is transmitted to and from this library as a raw
 * CSSM_DATA containing the BER-encoded UserNotice sequence.
 */

/*
 * One PolicyQualifierInfo. The interpretation of qualifier depends on
 * policyQualifierId: for CPS it is the IA5String contents (not a
 * NUL-terminated C string; honour qualifier.Length), for UserNotice it
 * is the still-encoded SEQUENCE contents.
 */
typedef struct __CE_PolicyQualifierInfo {
    CSSM_OID    policyQualifierId;  // CSSMOID_QT_CPS, CSSMOID_QT_UNOTICE
    CSSM_DATA   qualifier;          // CSSMOID_QT_CPS: IA5String contents
                                    // CSSMOID_QT_UNOTICE : Sequence contents
} CE_PolicyQualifierInfo DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/*
 * One PolicyInformation: a policy OID plus numPolicyQualifiers
 * qualifiers at policyQualifiers (zero qualifiers means the OPTIONAL
 * policyQualifiers sequence was absent).
 */
typedef struct __CE_PolicyInformation {
    CSSM_OID                certPolicyId;
    uint32                  numPolicyQualifiers;   // size of *policyQualifiers;
    CE_PolicyQualifierInfo  *policyQualifiers;
} CE_PolicyInformation DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/*
 * The certificatePolicies extension: numPolicies entries at policies.
 */
typedef struct __CE_CertPolicies {
    uint32                  numPolicies;           // size of *policies;
    CE_PolicyInformation    *policies;
} CE_CertPolicies DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/*
 * netscape-cert-type, a bit string.
 *
 * CSSM OID = CSSMOID_NetscapeCertType
 *
 * Bit fields defined in oidsattr.h: CE_NCT_SSL_Client, etc.
 */
typedef uint16 CE_NetscapeCertType DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/*
 * CRLDistributionPoints.
 *
 * id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::=  { id-ce 31 }
 *
 * cRLDistributionPoints ::= {
 *      CRLDistPointsSyntax }
 *
 * CRLDistPointsSyntax ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
 *
 * NOTE: RFC 2459 claims that the tag for the optional DistributionPointName
 * is IMPLICIT as shown here, but in practice it is EXPLICIT. It has to be -
 * because the underlying type also uses an implicit tag to distinguish
 * between CHOICEs.
 *
 * DistributionPoint ::= SEQUENCE {
 *      distributionPoint       [0]     DistributionPointName OPTIONAL,
 *      reasons                 [1]     ReasonFlags OPTIONAL,
 *      cRLIssuer               [2]     GeneralNames OPTIONAL }
 *
 * DistributionPointName ::= CHOICE {
 *      fullName                [0]     GeneralNames,
 *      nameRelativeToCRLIssuer [1]     RelativeDistinguishedName }
 *
 * ReasonFlags ::= BIT STRING {
 *      unused                  (0),
 *      keyCompromise           (1),
 *      cACompromise            (2),
 *      affiliationChanged      (3),
 *      superseded              (4),
 *      cessationOfOperation    (5),
 *      certificateHold         (6) }
 *
 * CSSM OID = CSSMOID_CrlDistributionPoints
 */

/*
 * Note that this looks similar to CE_CrlReason, but that's an enum and this
 * is an OR-able bit string.
 *
 * Same layout rule as CE_KeyUsage: ASN.1 bit 0 ("unused", exposed here as
 * CE_CD_Unspecified) is the most-significant bit (0x80) of the byte, and
 * each subsequent ASN.1 bit is the next lower bit.
 */
typedef uint8 CE_CrlDistReasonFlags DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

#define CE_CD_Unspecified           0x80
#define CE_CD_KeyCompromise         0x40
#define CE_CD_CACompromise          0x20
#define CE_CD_AffiliationChanged    0x10
#define CE_CD_Superseded            0x08
#define CE_CD_CessationOfOperation  0x04
#define CE_CD_CertificateHold       0x02

/*
 * Discriminator for the dpn union in CE_DistributionPointName.
 */
typedef enum __CE_CrlDistributionPointNameType {
    CE_CDNT_FullName,
    CE_CDNT_NameRelativeToCrlIssuer
} CE_CrlDistributionPointNameType DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/*
 * DistributionPointName. nameType selects the active union member:
 * CE_CDNT_FullName -> dpn.fullName, CE_CDNT_NameRelativeToCrlIssuer -> dpn.rdn.
 * Reading the other member is undefined.
 */
typedef struct __CE_DistributionPointName {
    CE_CrlDistributionPointNameType     nameType;
    union {
        CE_GeneralNames                 *fullName;
        CSSM_X509_RDN_PTR               rdn;
    } dpn;
} CE_DistributionPointName DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/*
 * The top-level CRLDistributionPoint.
 * All fields are optional; NULL pointers indicate absence.
 * reasons is valid only when reasonsPresent is true.
 */
typedef struct __CE_CRLDistributionPoint {
    CE_DistributionPointName    *distPointName;
    CSSM_BOOL                   reasonsPresent;
    CE_CrlDistReasonFlags       reasons;
    CE_GeneralNames             *crlIssuer;
} CE_CRLDistributionPoint DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/*
 * The cRLDistributionPoints extension: numDistPoints entries at distPoints.
 */
typedef struct __CE_CRLDistPointsSyntax {
    uint32                      numDistPoints;
    CE_CRLDistributionPoint     *distPoints;
} CE_CRLDistPointsSyntax DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/*
 * Authority Information Access and Subject Information Access.
 *
 * CSSM OID = CSSMOID_AuthorityInfoAccess
 * CSSM OID = CSSMOID_SubjectInfoAccess
 *
 * SubjAuthInfoAccessSyntax  ::=
 *      SEQUENCE SIZE (1..MAX) OF AccessDescription
 *
 * AccessDescription  ::=  SEQUENCE {
 *      accessMethod          OBJECT IDENTIFIER,
 *      accessLocation        GeneralName  }
 */

/*
 * One AccessDescription. accessLocation is stored by value, so the
 * CE_GeneralName rules above (nameType / berEncoded) apply to it.
 */
typedef struct __CE_AccessDescription {
    CSSM_OID            accessMethod;
    CE_GeneralName      accessLocation;
} CE_AccessDescription DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/*
 * The AIA/SIA extension: numAccessDescriptions entries at accessDescriptions.
 * The same struct serves both OIDs listed above.
 */
typedef struct __CE_AuthorityInfoAccess {
    uint32                  numAccessDescriptions;
    CE_AccessDescription    *accessDescriptions;
} CE_AuthorityInfoAccess DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/*
 * Qualified Certificate Statement support, per RFC 3739.
 *
 * First, NameRegistrationAuthorities, a component of
 * SemanticsInformation; it's the same as a GeneralNames -
 * a sequence of GeneralName.
 */
typedef CE_GeneralNames CE_NameRegistrationAuthorities DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/*
 * SemanticsInformation, identified as the qcType field
 * of a CE_QC_Statement for statementId value id-qcs-pkixQCSyntax-v2.
 * Both fields optional; at least one must be present.
 * NULL indicates absence for each pointer.
 */
typedef struct __CE_SemanticsInformation {
    CSSM_OID                        *semanticsIdentifier;
    CE_NameRegistrationAuthorities  *nameRegistrationAuthorities;
} CE_SemanticsInformation DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/*
 * One Qualified Certificate Statement.
 * The statementId OID is required; zero or one of {semanticsInfo,
 * otherInfo} can be valid, depending on the value of statementId.
 * For statementId id-qcs-pkixQCSyntax-v2 (CSSMOID_OID_QCS_SYNTAX_V2),
 * the semanticsInfo field may be present; otherwise, DER-encoded
 * information may be present in otherInfo. Both semanticsInfo and
 * otherInfo are optional (NULL when absent).
 */
typedef struct __CE_QC_Statement {
    CSSM_OID                        statementId;
    CE_SemanticsInformation         *semanticsInfo;
    CSSM_DATA                       *otherInfo;     // undecoded DER, keyed by statementId
} CE_QC_Statement DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/*
 * The top-level Qualified Certificate Statements extension:
 * numQCStatements entries at qcStatements.
 */
typedef struct __CE_QC_Statements {
    uint32                          numQCStatements;
    CE_QC_Statement                 *qcStatements;
} CE_QC_Statements DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/*** CRL extensions ***/

/*
 * cRLNumber, an integer.
 *
 * CSSM OID = CSSMOID_CrlNumber
 */
typedef uint32 CE_CrlNumber;

/*
 * deltaCRLIndicator, an integer.
 *
 * CSSM OID = CSSMOID_DeltaCrlIndicator
 */
typedef uint32 CE_DeltaCrl;

/*
 * IssuingDistributionPoint
 *
 * id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= { id-ce 28 }
 *
 * issuingDistributionPoint ::= SEQUENCE {
 *      distributionPoint       [0] DistributionPointName OPTIONAL,
 *      onlyContainsUserCerts   [1] BOOLEAN DEFAULT FALSE,
 *      onlyContainsCACerts     [2] BOOLEAN DEFAULT FALSE,
 *      onlySomeReasons         [3] ReasonFlags OPTIONAL,
 *      indirectCRL             [4] BOOLEAN DEFAULT FALSE }
 *
 * CSSM OID = CSSMOID_IssuingDistributionPoint
 *
 * Each DEFAULT/OPTIONAL component has a xxxPresent flag; the value
 * beside it is valid only when that flag is true. For the DEFAULT FALSE
 * booleans, "not present" and "present with value false" are therefore
 * distinguishable here even though they encode the same meaning.
 */
typedef struct __CE_IssuingDistributionPoint {
    CE_DistributionPointName    *distPointName;     // optional
    CSSM_BOOL                   onlyUserCertsPresent;
    CSSM_BOOL                   onlyUserCerts;
    CSSM_BOOL                   onlyCACertsPresent;
    CSSM_BOOL                   onlyCACerts;
    CSSM_BOOL                   onlySomeReasonsPresent;
    CE_CrlDistReasonFlags       onlySomeReasons;
    CSSM_BOOL                   indirectCrlPresent;
    CSSM_BOOL                   indirectCrl;
} CE_IssuingDistributionPoint DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/*
 * NameConstraints
 *
 * id-ce-nameConstraints OBJECT IDENTIFIER ::=  { id-ce 30 }
 *
 * NameConstraints ::= SEQUENCE {
 *      permittedSubtrees       [0]     GeneralSubtrees OPTIONAL,
 *      excludedSubtrees        [1]     GeneralSubtrees OPTIONAL }
 *
 * GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
 *
 * GeneralSubtree ::= SEQUENCE {
 *      base                    GeneralName,
 *      minimum         [0]     BaseDistance DEFAULT 0,
 *      maximum         [1]     BaseDistance OPTIONAL }
 *
 * BaseDistance ::= INTEGER (0..MAX)
 */

/*
 * One GeneralSubtree.
 * NOTE(review): the ASN.1 base is a single GeneralName, but this struct
 * stores it as a CE_GeneralNames list; presumably the encoder/decoder
 * uses a one-element list -- confirm before relying on numNames.
 * maximum is valid only when maximumPresent is true.
 */
typedef struct __CE_GeneralSubtree {
    CE_GeneralNames     *base;
    uint32              minimum;        // default=0
    CSSM_BOOL           maximumPresent;
    uint32              maximum;        // optional
} CE_GeneralSubtree DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/*
 * GeneralSubtrees: numSubtrees entries at subtrees.
 */
typedef struct __CE_GeneralSubtrees {
    uint32              numSubtrees;
    CE_GeneralSubtree   *subtrees;
} CE_GeneralSubtrees DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/*
 * The nameConstraints extension. Either list may be NULL (absent).
 */
typedef struct __CE_NameConstraints {
    CE_GeneralSubtrees  *permitted;     // optional
    CE_GeneralSubtrees  *excluded;      // optional
} CE_NameConstraints DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/*
 * PolicyMappings
 *
 * id-ce-policyMappings OBJECT IDENTIFIER ::=  { id-ce 33 }
 *
 * PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
 *      issuerDomainPolicy      CertPolicyId,
 *      subjectDomainPolicy     CertPolicyId }
 *
 * Note that both issuer and subject policy OIDs are required,
 * and are stored by value in this structure.
 */
typedef struct __CE_PolicyMapping {
    CSSM_OID            issuerDomainPolicy;
    CSSM_OID            subjectDomainPolicy;
} CE_PolicyMapping DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/*
 * The policyMappings extension: numPolicyMappings entries at policyMappings.
 */
typedef struct __CE_PolicyMappings {
    uint32              numPolicyMappings;
    CE_PolicyMapping    *policyMappings;
} CE_PolicyMappings DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/*
 * PolicyConstraints
 *
 * id-ce-policyConstraints OBJECT IDENTIFIER ::=  { id-ce 36 }
 *
 * PolicyConstraints ::= SEQUENCE {
 *      requireExplicitPolicy   [0]     SkipCerts OPTIONAL,
 *      inhibitPolicyMapping    [1]     SkipCerts OPTIONAL }
 *
 * SkipCerts ::= INTEGER (0..MAX)
 *
 * Each value is valid only when its xxxPresent flag is true.
 */
typedef struct __CE_PolicyConstraints {
    CSSM_BOOL           requireExplicitPolicyPresent;
    uint32              requireExplicitPolicy;      // optional
    CSSM_BOOL           inhibitPolicyMappingPresent;
    uint32              inhibitPolicyMapping;       // optional
} CE_PolicyConstraints DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/*
 * InhibitAnyPolicy, an integer.
 *
 * CSSM OID = CSSMOID_InhibitAnyPolicy
 */
typedef uint32 CE_InhibitAnyPolicy DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/*
 * An enumerated list identifying one of the above per-extension
 * structs. Each enumerator names the CE_Data member that is active
 * when CE_DataAndType.type has that value.
 */
typedef enum __CE_DataType {
    DT_AuthorityKeyID,          // CE_AuthorityKeyID
    DT_SubjectKeyID,            // CE_SubjectKeyID
    DT_KeyUsage,                // CE_KeyUsage
    DT_SubjectAltName,          // CE_GeneralNames (subjectAltName member)
    DT_IssuerAltName,           // CE_GeneralNames (issuerAltName member)
    DT_ExtendedKeyUsage,        // CE_ExtendedKeyUsage
    DT_BasicConstraints,        // CE_BasicConstraints
    DT_CertPolicies,            // CE_CertPolicies
    DT_NetscapeCertType,        // CE_NetscapeCertType
    DT_CrlNumber,               // CE_CrlNumber
    DT_DeltaCrl,                // CE_DeltaCrl
    DT_CrlReason,               // CE_CrlReason
    DT_CrlDistributionPoints,   // CE_CRLDistPointsSyntax
    DT_IssuingDistributionPoint,// CE_IssuingDistributionPoint
    DT_AuthorityInfoAccess,     // CE_AuthorityInfoAccess
    DT_Other,                   // unknown, raw data as a CSSM_DATA
    DT_QC_Statements,           // CE_QC_Statements
    DT_NameConstraints,         // CE_NameConstraints
    DT_PolicyMappings,          // CE_PolicyMappings
    DT_PolicyConstraints,       // CE_PolicyConstraints
    DT_InhibitAnyPolicy         // CE_InhibitAnyPolicy
} CE_DataType;

/*
 * One unified representation of all the cert and CRL extensions we know about.
 * Untagged on its own; the owning CE_DataAndType.type says which member
 * is live. Extensions whose OID is not recognised land in rawData.
 */
typedef union {
    CE_AuthorityKeyID           authorityKeyID;
    CE_SubjectKeyID             subjectKeyID;
    CE_KeyUsage                 keyUsage;
    CE_GeneralNames             subjectAltName;
    CE_GeneralNames             issuerAltName;
    CE_ExtendedKeyUsage         extendedKeyUsage;
    CE_BasicConstraints         basicConstraints;
    CE_CertPolicies             certPolicies;
    CE_NetscapeCertType         netscapeCertType;
    CE_CrlNumber                crlNumber;
    CE_DeltaCrl                 deltaCrl;
    CE_CrlReason                crlReason;
    CE_CRLDistPointsSyntax      crlDistPoints;
    CE_IssuingDistributionPoint issuingDistPoint;
    CE_AuthorityInfoAccess      authorityInfoAccess;
    CE_QC_Statements            qualifiedCertStatements;
    CE_NameConstraints          nameConstraints;
    CE_PolicyMappings           policyMappings;
    CE_PolicyConstraints        policyConstraints;
    CE_InhibitAnyPolicy         inhibitAnyPolicy;
    CSSM_DATA                   rawData;        // unknown, not decoded
} CE_Data DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

/*
 * One decoded extension: its type tag, its payload, and the extension's
 * critical flag.
 * NOTE(review): a DT_Other extension with critical set is one the
 * decoder could not interpret; RFC 5280 requires such a certificate to
 * be rejected, so verifiers must not simply skip DT_Other entries.
 */
typedef struct __CE_DataAndType {
    CE_DataType         type;
    CE_Data             extension;
    CSSM_BOOL           critical;
} CE_DataAndType DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

#endif  /* _CERT_EXTENSIONS_H_ */